HIPAA: Any requirement to separate data viewing applications from databases?

Posted on 2009-04-29
Last Modified: 2013-11-14
Hello,

We've recently completed a successful (but small) prototype/pilot program involving the collection of "hazard-identification" data from health care workers.  Our "system" comprises 3 parts: a web-based data collection application, a data analysis application, and a database of stored data.  Although we don't specifically solicit sensitive info (directly covered by HIPAA), the health care workers frequently include this sort of information in their reports (to add context, for follow-up, etc.).

For the pilot program all of this was accomplished via a dedicated hosted server.  As we move forward, and expand, we're looking to implement a number of steps to ensure that we remain HIPAA compliant "beyond the science project mode".  In working with the tech support engineers at the Tier II SAS 70 data center that we intend to use, we're being told that "your database needs to be maintained on a separate server from any data analysis program."  

I understand the logic and rationale behind this -- and I appreciate the engineers' input -- but I'd like to find a specific reference that stipulates the need for this particular set-up.  

If anyone could point me in the right direction, that would be great!  
Question by: blockmental

Expert Comment

by:Jim P.
ID: 24270938
Reading the Security Standards Technical Safeguards PDF at the HHS CMS Security Materials website -- there is no requirement to have separate servers to split the data from the app.

From the technical / sys admin / user point of view, you should make the app able to be on a separate server, because you are bound to run into some user who will be running it on several small servers, need to do clusters, or has a security standard that says the same thing.


HHS CMS Security Materials
http://www.cms.hhs.gov/EducationMaterials/04_SecurityMaterials.asp

Security Standards Technical Safeguards [PDF, 238KB]
http://www.cms.hhs.gov/EducationMaterials/Downloads/SecurityStandardsTechnicalSafeguards.pdf
Author Comment

by:blockmental
ID: 24271469
Hello jimpen,

I appreciate the input (and the links) and if you wouldn't mind, please...

As part of our "process" we serve as the 3rd-party "analysis provider" and we're the only ones with access to the data analysis app (i.e., the "customers" can't run their own reports or view any of the raw data).  The only access the "customers" have to our software is via the web-based data collection app.

I'm not certain that this makes any difference WRT your comments about how a technical/sys admin/user might view all of this... but I'm HUGELY interested in pursuing something akin to a "best practice".  The data center engineers are telling us that in order to set-up two servers, plus a firewall, we need to get into a rack (vs. just a standalone dedicated server with a firewall).

What they're saying makes sense, but not being a techie type I'm curious as to whether (or not) the requirement to place both servers in the same rack is necessary.  Normally I'd say, "just do it" but the "rack option" seems to have a considerable impact on the cost per month.  As soon as the rack option was introduced we suddenly started talking about more costly servers, a more expensive firewall, and the need (which I can understand) for some rather hefty monthly management fees.

Any thoughts on the rack (vs. no rack) set-up would be most welcome -- ESPECIALLY if the "rack option" doesn't add to our overall level of security/safe-keeping.

Many thanks again!
Accepted Solution

by:
Jim P. earned 2000 total points
ID: 24273221
Any web app -- whether gathering data or giving it back (especially financial & health data) needs to be in a DMZ. Even if you are using a VPN solution, you should restrict exposure of your internal network as much as possible to an outside vendor/ consumer.

Typically your web server resides in a space that can be accessed from the internet and has very restricted links through the firewall into the internal network to read/write data. Your web app is considered an N-Tier app -- meaning 50 or 500 users can be accessing it and it controls R/W of data to the database.

Then your analysis app can be done either as N-Tier or client-server. The N-Tier there can be a client install that goes to the app server and the app server connects to the database.  The reasons for going the app server route can vary:

Security: no client ever talks to the DB directly.

Work load: the queries are complex/long running and the typical client can't do it.

Load balancing: you want to be able to have multiple app servers so you can scale or load balance connections to the same DB.

Network: the clients and app server reside in a remote location from the DB -- if your clients go back to the server direct you saturate the bandwidth.

Web enabled: you want to use a web page to do analysis instead of touching clients every time you upgrade.

I can't tell you the best answer. It depends on your business model, your project plans, design considerations etc.

You will definitely need 2 servers -- the one that faces the web and the DB server. Beyond that it comes back to your design and model.
-----------------------------
N-Tier Application Architecture
http://www.webopedia.com/quick_ref/app.arch.asp

This link is for websphere -- but  it is pretty much the same regardless:
http://publib.boulder.ibm.com/infocenter/wasinfo/v4r0/index.jsp?topic=/com.ibm.websphere.v4.doc/wasa_content/070104.html
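The layout the accepted solution describes (web server in a DMZ, a single narrow hole through the firewall to the database, analysts reaching the database only via an app server) can be written down and checked before it is ever typed into a firewall. The following is an added example, not code from the original thread or from any product it mentions: a small first-match packet-filter model with the invariants from the answer expressed as checks. Every address, port and segment name is an assumption chosen for illustration (RFC 5737 documentation ranges for the public side, RFC 1918 space internally, 5432 standing in for whatever database port is in use); a weaker policy is included alongside the tiered one so the checks have something to flag.

```python
"""Policy-as-code check for the two-server DMZ layout described in the accepted answer.

Added example, not code from the original thread. All addresses, ports and
segment names are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Hypothetical segments (assumed, not from the page).
INTERNET = "0.0.0.0/0"
DMZ_WEB = "203.0.113.10/32"      # public-facing data collection web server (DMZ)
DB = "10.0.0.20/32"              # database server, internal network
APP = "10.0.0.30/32"             # analysis app server, internal network
ANALYST_LAN = "10.0.1.0/24"      # analysis provider's workstations
DB_PORT = 5432                   # assumed PostgreSQL; any DB port works the same way


@dataclass(frozen=True)
class Rule:
    src: str              # CIDR the packet must come from
    dst: str              # CIDR the packet must be going to
    dport: Optional[int]  # destination port, None = any port
    action: str           # "allow" or "deny"

    def matches(self, src_ip: str, dst_ip: str, dport: int) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and (self.dport is None or self.dport == dport))


def allowed(policy: List[Rule], src_ip: str, dst_ip: str, dport: int) -> bool:
    """First-match evaluation, as most packet filters do it; no match means deny."""
    for rule in policy:
        if rule.matches(src_ip, dst_ip, dport):
            return rule.action == "allow"
    return False


# The layout from the answer: web server in the DMZ, one narrow hole to the DB,
# analysts reach the DB only through the app server, default deny at the end.
TIERED_POLICY = [
    Rule(INTERNET, DMZ_WEB, 443, "allow"),        # public HTTPS to the collection app
    Rule(DMZ_WEB, DB, DB_PORT, "allow"),          # the only DMZ -> internal hole
    Rule(ANALYST_LAN, APP, 8443, "allow"),        # analysts talk to the app server
    Rule(APP, DB, DB_PORT, "allow"),              # app server talks to the DB
    Rule("0.0.0.0/0", "0.0.0.0/0", None, "deny"),
]

# A weaker variant for contrast: the DMZ host may reach the DB on every port,
# and analyst workstations are allowed straight to the database.
WEAK_POLICY = [
    Rule(INTERNET, DMZ_WEB, 443, "allow"),
    Rule(DMZ_WEB, DB, None, "allow"),
    Rule(ANALYST_LAN, DB, DB_PORT, "allow"),
    Rule("0.0.0.0/0", "0.0.0.0/0", None, "deny"),
]

PROBE_PORTS = (22, 80, 443, 1433, 1521, 3306, 3389, 5432, 8443)
OUTSIDE_IP = "198.51.100.7"      # arbitrary Internet host (RFC 5737 range)
ANALYST_IP = "10.0.1.15"         # one workstation inside ANALYST_LAN


def violations(policy: List[Rule]) -> List[str]:
    """Invariants the answer argues for, checked over a set of representative ports."""
    problems = []
    for port in PROBE_PORTS:
        if allowed(policy, OUTSIDE_IP, "10.0.0.20", port):
            problems.append(f"internet reaches DB on {port}")
        if allowed(policy, OUTSIDE_IP, "10.0.0.30", port):
            problems.append(f"internet reaches app server on {port}")
        if port != 443 and allowed(policy, OUTSIDE_IP, "203.0.113.10", port):
            problems.append(f"internet reaches web server on {port}")
        if port != DB_PORT and allowed(policy, "203.0.113.10", "10.0.0.20", port):
            problems.append(f"DMZ web reaches DB on {port} (only {DB_PORT} should be open)")
        if allowed(policy, ANALYST_IP, "10.0.0.20", port):
            problems.append(f"analyst workstation reaches DB directly on {port}")
    return problems


if __name__ == "__main__":
    for name, policy in (("tiered", TIERED_POLICY), ("weak", WEAK_POLICY)):
        found = violations(policy)
        print(f"{name}: {'OK' if not found else str(len(found)) + ' violation(s)'}")
        for line in found:
            print("  -", line)
```

The second rule of TIERED_POLICY is the "very restricted link through the firewall" the answer refers to: one source host, one destination host, one port. Running the script shows the tiered policy passing every check while the weak one is flagged for both the wide-open DMZ-to-DB path and the direct analyst-to-DB path. The same check can be re-run whenever a rule is added, which is the point of keeping the database on a host the firewall can distinguish from the web server.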
Author Closing Comment

by:blockmental
ID: 31576248
Thanks jimpen!

I'm always amazed at the lengths to which people such as yourself will go to on this forum to explain things... and especially when it comes to non-techies wrestling with unfamiliar issues.

Again, many thanks for confirming/validating what the data center engineers were suggesting.

All the best!
Expert Comment

by:Jim P.
ID: 24273752
Glad to be of assistance. May all your days get brighter and brighter.